1 /* $OpenBSD: gostr341001.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */
3 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
4 * Copyright (c) 2005-2006 Cryptocom LTD
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
18 * 3. All advertising materials mentioning features or use of this
19 * software must display the following acknowledgment:
20 * "This product includes software developed by the OpenSSL Project
21 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
23 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
24 * endorse or promote products derived from this software without
25 * prior written permission. For written permission, please contact
26 * openssl-core@openssl.org.
28 * 5. Products derived from this software may not be called "OpenSSL"
29 * nor may "OpenSSL" appear in their names without prior written
30 * permission of the OpenSSL Project.
32 * 6. Redistributions of any form whatsoever must retain the following
34 * "This product includes software developed by the OpenSSL Project
35 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
37 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
38 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
40 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
41 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
43 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
46 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
48 * OF THE POSSIBILITY OF SUCH DAMAGE.
49 * ====================================================================
54 #include <openssl/opensslconf.h>
56 #ifndef OPENSSL_NO_GOST
57 #include <openssl/bn.h>
58 #include <openssl/err.h>
59 #include <openssl/gost.h>
62 #include "gost_locl.h"
64 /* Convert little-endian byte array into bignum */
66 GOST_le2bn(const unsigned char *buf, size_t len, BIGNUM *bn)
68 unsigned char temp[64];
74 for (i = 0; i < len; i++) {
75 temp[len - 1 - i] = buf[i];
78 return BN_bin2bn(temp, len, bn);
82 GOST_bn2le(BIGNUM *bn, unsigned char *buf, int len)
84 unsigned char temp[64];
87 bytes = BN_num_bytes(bn);
88 if (len > 64 || bytes > len)
93 for (i = 0; i < bytes; i++) {
94 buf[bytes - 1 - i] = temp[i];
97 memset(buf + bytes, 0, len - bytes);
103 gost2001_compute_public(GOST_KEY *ec)
105 const EC_GROUP *group = GOST_KEY_get0_group(ec);
106 EC_POINT *pub_key = NULL;
107 const BIGNUM *priv_key = NULL;
112 GOSTerror(GOST_R_KEY_IS_NOT_INITIALIZED);
117 GOSTerror(ERR_R_MALLOC_FAILURE);
121 if ((priv_key = GOST_KEY_get0_private_key(ec)) == NULL)
124 pub_key = EC_POINT_new(group);
127 if (EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx) == 0)
129 if (GOST_KEY_set_public_key(ec, pub_key) == 0)
135 GOSTerror(ERR_R_EC_LIB);
137 EC_POINT_free(pub_key);
146 gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey)
148 ECDSA_SIG *newsig = NULL;
149 BIGNUM *order = NULL;
150 const EC_GROUP *group;
151 const BIGNUM *priv_key;
152 BIGNUM *r = NULL, *s = NULL, *X = NULL, *tmp = NULL, *tmp2 = NULL, *k =
155 BN_CTX *ctx = BN_CTX_new();
159 GOSTerror(ERR_R_MALLOC_FAILURE);
163 newsig = ECDSA_SIG_new();
164 if (newsig == NULL) {
165 GOSTerror(ERR_R_MALLOC_FAILURE);
170 group = GOST_KEY_get0_group(eckey);
171 if ((order = BN_CTX_get(ctx)) == NULL)
173 if (EC_GROUP_get_order(group, order, ctx) == 0)
175 priv_key = GOST_KEY_get0_private_key(eckey);
176 if ((e = BN_CTX_get(ctx)) == NULL)
178 if (BN_mod_ct(e, md, order, ctx) == 0)
182 if ((k = BN_CTX_get(ctx)) == NULL)
184 if ((X = BN_CTX_get(ctx)) == NULL)
186 if ((C = EC_POINT_new(group)) == NULL)
190 if (!BN_rand_range(k, order)) {
191 GOSTerror(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
195 * We do not want timing information to leak the length
196 * of k, so we compute G*k using an equivalent scalar
197 * of fixed bit-length.
199 if (BN_add(k, k, order) == 0)
201 if (BN_num_bits(k) <= BN_num_bits(order))
202 if (BN_add(k, k, order) == 0)
205 if (EC_POINT_mul(group, C, k, NULL, NULL, ctx) == 0) {
206 GOSTerror(ERR_R_EC_LIB);
209 if (EC_POINT_get_affine_coordinates_GFp(group, C, X,
211 GOSTerror(ERR_R_EC_LIB);
214 if (BN_nnmod(r, X, order, ctx) == 0)
216 } while (BN_is_zero(r));
217 /* s = (r*priv_key+k*e) mod order */
219 if ((tmp = BN_CTX_get(ctx)) == NULL)
222 if (BN_mod_mul(tmp, priv_key, r, order, ctx) == 0)
225 if ((tmp2 = BN_CTX_get(ctx)) == NULL)
228 if (BN_mod_mul(tmp2, k, e, order, ctx) == 0)
230 if (BN_mod_add(s, tmp, tmp2, order, ctx) == 0)
232 } while (BN_is_zero(s));
242 ECDSA_SIG_free(newsig);
249 gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec)
251 BN_CTX *ctx = BN_CTX_new();
252 const EC_GROUP *group = GOST_KEY_get0_group(ec);
254 BIGNUM *e = NULL, *R = NULL, *v = NULL, *z1 = NULL, *z2 = NULL;
255 BIGNUM *X = NULL, *tmp = NULL;
257 const EC_POINT *pub_key = NULL;
263 if ((order = BN_CTX_get(ctx)) == NULL)
265 if ((e = BN_CTX_get(ctx)) == NULL)
267 if ((z1 = BN_CTX_get(ctx)) == NULL)
269 if ((z2 = BN_CTX_get(ctx)) == NULL)
271 if ((tmp = BN_CTX_get(ctx)) == NULL)
273 if ((X = BN_CTX_get(ctx)) == NULL)
275 if ((R = BN_CTX_get(ctx)) == NULL)
277 if ((v = BN_CTX_get(ctx)) == NULL)
280 if (EC_GROUP_get_order(group, order, ctx) == 0)
282 pub_key = GOST_KEY_get0_public_key(ec);
283 if (BN_is_zero(sig->s) || BN_is_zero(sig->r) ||
284 BN_cmp(sig->s, order) >= 1 || BN_cmp(sig->r, order) >= 1) {
285 GOSTerror(GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
289 if (BN_mod_ct(e, md, order, ctx) == 0)
293 if ((v = BN_mod_inverse_ct(v, e, order, ctx)) == NULL)
295 if (BN_mod_mul(z1, sig->s, v, order, ctx) == 0)
297 if (BN_sub(tmp, order, sig->r) == 0)
299 if (BN_mod_mul(z2, tmp, v, order, ctx) == 0)
301 if ((C = EC_POINT_new(group)) == NULL)
303 if (EC_POINT_mul(group, C, z1, pub_key, z2, ctx) == 0) {
304 GOSTerror(ERR_R_EC_LIB);
307 if (EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx) == 0) {
308 GOSTerror(ERR_R_EC_LIB);
311 if (BN_mod_ct(R, X, order, ctx) == 0)
313 if (BN_cmp(R, sig->r) != 0) {
314 GOSTerror(GOST_R_SIGNATURE_MISMATCH);
327 /* Implementation of CryptoPro VKO 34.10-2001 algorithm */
329 VKO_compute_key(BIGNUM *X, BIGNUM *Y, const GOST_KEY *pkey, GOST_KEY *priv_key,
332 BIGNUM *p = NULL, *order = NULL;
333 const BIGNUM *key = GOST_KEY_get0_private_key(priv_key);
334 const EC_GROUP *group = GOST_KEY_get0_group(priv_key);
335 const EC_POINT *pub_key = GOST_KEY_get0_public_key(pkey);
340 pnt = EC_POINT_new(group);
347 if ((p = BN_CTX_get(ctx)) == NULL)
349 if ((order = BN_CTX_get(ctx)) == NULL)
351 if (EC_GROUP_get_order(group, order, ctx) == 0)
353 if (BN_mod_mul(p, key, ukm, order, ctx) == 0)
355 if (EC_POINT_mul(group, pnt, NULL, pub_key, p, ctx) == 0)
357 if (EC_POINT_get_affine_coordinates_GFp(group, pnt, X, Y, ctx) == 0)
371 gost2001_keygen(GOST_KEY *ec)
373 BIGNUM *order = BN_new(), *d = BN_new();
374 const EC_GROUP *group = GOST_KEY_get0_group(ec);
377 if (order == NULL || d == NULL)
379 if (EC_GROUP_get_order(group, order, NULL) == 0)
383 if (BN_rand_range(d, order) == 0) {
384 GOSTerror(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
387 } while (BN_is_zero(d));
389 if (GOST_KEY_set_private_key(ec, d) == 0)
391 rc = gost2001_compute_public(ec);